Efficient attribute-based strong designated verifier signature scheme based on elliptic curve cryptography

In an attribute-based strong designated verifier signature, a signer who satisfies the access structure signs the message and assigns it to a verifier who satisfies the access structure to verify it, which enables fine-grained access control for signers and verifiers. Such signatures are used in scenarios where the identity of the signer needs to be protected, or where the public verifiability of the signature is avoided and only the designated recipient can verify the validity of the signature. To address the problem that the overall overhead of the traditional attribute-based strong designated verifier signature scheme is relatively large, an efficient attribute-based strong designated verifier signature scheme based on elliptic curve cryptography is proposed, as well as a security analysis of the new scheme given in the standard model under the difficulty of the elliptic curve discrete logarithm problem (ECDLP). On the one hand, the proposed scheme is based on elliptic curve cryptography and uses scalar multiplication on elliptic curves, which is computationally lighter, instead of bilinear pairing, which has a higher computational overhead in traditional attribute-based signature schemes. This reduces the computational overhead of signing and verification in the system, improves the efficiency of the system, and makes the scheme more suitable for resource-constrained cloud end-user scenarios. On the other hand, the proposed scheme uses LSSS (Linear Secret Sharing Schemes) access structure with stronger access policy expression, which is more efficient than the "And" gate or access tree access structure, making the computational efficiency of the proposed scheme meet the needs of resource-constrained cloud end-users.


Introduction
In the modern information society, digital signature technology has been widely used in various fields, and it is an important tool to ensure data reliability and achieve authentication. Digital signature technology has practical applications in the commercial, financial, and military sectors, especially in e-trade, e-checks, e-shopping, e-publishing, and intellectual property protection.
In traditional standard digital signatures, anyone is able to verify the validity of a signature. However, in many applications where the identity of the signer needs to be protected or the public verifiability of the signature avoided, only the designated recipient of the signature can verify the validity of the signature. For example, in electronic voting, the voter wants to protect the privacy of his or her identity, and only his or her designated verifier can confirm that the signature is valid. But the verifier cannot prove that validity to any third party, and even if the verifier publishes his or her private key, it does not allow the third party to trust that the signature was indeed signed by the voter. To solve this problem, Jakobsson et al. [1] first introduced the concept of Designated Verifier Signature (DVS) in Eurocrypt 1996. However, if a third party intercepts the signature message during message transmission, it can be determined that the recipient did not receive the signed message. It can still be determined that the signature was generated by the signer. Therefore, Saeednia et al. formally proposed the strong designated verifier signature (SDVS) scheme in the literature [2], which requires the participation of the verifier's private key in the verification algorithm to complete the verification, thus ensuring the private nature of the verification. Strong designated verifier signature (SDVS) provides higher security than designated verifier signature (DVS), and at the same time, better protects the privacy of the signer. This traditional strong designated verifier signature (SDVS) is all about a signer generating a signature that is assigned to a verifier for verification. However, in practical application scenarios, multiple signatures that satisfy certain conditions or certain attributes are used, assigned to multiple verifiers who satisfy certain conditions or certain attributes to verify the signature. For example, in electronic bidding, bids are sensitive information and are not expected to be freely disseminated. It is well suited to use a strong designated verifier signature (SDVS) for signing. By designating agents with certain qualifications as validators, these agents can confirm the validity of the bid to the bid evaluation experts and other necessary persons, and the bidder himself can confirm to the agents and other necessary persons that the bid is his. Other than this, no one else can judge the validity of the tender, much less confirm the validity of the tender to third parties.
Attribute-based signature (ABS) has strong anonymity, i.e., the verifier can only know from the signature that the attributes of the signer satisfy the access structure but not the specific information of the signer, which can effectively achieve fine-grained access control. It is of great theoretical and practical importance to study attribute-based strong designated verifier signatures by combining attribute-based signatures with strong designated verifier signatures. The workflow of an attribute-based strong designated verifier signature scheme is shown in Fig 1. There are two forms of ABS: key policy attribute-based signature (KP-ABS) and ciphertext policy attribute-based signature (CP-ABS).

The research problem
The currently existing attribute-based strong designated verifier signature schemes involve bilinear pairing operations in the construction process. The computational overhead of one bilinear pairing operation is approximately two to three times that of one scalar multiplication operation on the same elliptic curve [3]. Therefore, minimizing the number of calculations of bilinear pairings in the algorithm or cleverly using other operations to achieve the same algorithmic function can improve the efficiency of the attribute-based signature algorithm to some extent. In addition, the access structures of existing attribute-based strong designated verifier signatures are "And" gate or access tree structures, which have many limitations in policy expression and also affect the efficiency of attribute-based strong designated verifier signature schemes.
This study adopts the access structure of LSSS (Linear Secret Sharing Schemes) with stronger access policy expression. Linear secret sharing schemes are more efficient than the "And" gate or access tree access structures because the secret is reconstructed linearly, without recursive operations. Meanwhile, the new scheme is based on elliptic curve cryptography. The scalar multiplication on elliptic curves, which is computationally lighter, is used instead of the bilinear pairing operation, which is computationally more expensive in traditional attribute-based signature schemes. The computational overhead of signing and verification in the system is reduced and the efficiency of the system is improved. This makes the computational efficiency of the proposed scheme meet the needs of resource-constrained cloud end-users.

Our contribution
In this paper, we propose an efficient attribute-based strong designated verifier signature scheme based on elliptic curve cryptography, and optimize the security model for an attribute-based strong designated verifier signature scheme. The security of the efficient attribute-based strong designated verifier signature scheme based on elliptic curve cryptography is analyzed. The advantages of this study are as follows.
1. To reduce the computational overhead of the system, the scheme is based on elliptic curve cryptography, using the more lightweight scalar multiplication on the elliptic curve instead of the complex bilinear pairing operation, which effectively improves the signature and verification efficiency. The security of the scheme relies on the difficulty of the elliptic curve discrete logarithm problem (ECDLP). To the best of our knowledge, our scheme is the first attribute-based strong designated verifier signature scheme constructed using elliptic curve cryptography.
2. The traditional "And" gate or tree access structure is less expressive, and too many redundant attributes increase the length of the ciphertext key. In order to reduce the system storage overhead, enrich the expressiveness of the access structure and save the communication overhead, we use the more expressive and computationally efficient LSSS (Linear Secret Sharing Schemes) access structure.
3. The new scheme uses a concatenated summation algorithm in the signature generation process, so that the length of the generated signature is independent of the number of attributes of the signer and does not vary with the number of attributes of the signer.

Organization
The remainder of this paper is organized as follows. In Section 2, we introduce some related work. In Section 3, we introduce the necessary preliminaries and provide the general form of the attribute-based strong designated verifier signature and its security model. In Section 4, we present an efficient attribute-based strong designated verifier signature scheme based on elliptic curve cryptography. In Section 5, the efficiency of the proposed scheme is analyzed. In Section 6 we summarize the full text.

Related work
In privacy-protected cloud computing environments, e-commerce, social networks, e-voting and other web application scenarios, there exists a security requirement that the signer does not want the authenticity of his digital signature to spread arbitrarily among some unauthorized users. In response to this situation, Jakobsson et al. [1] first introduced the concept of designated verifier signatures in 1996 to make the authenticity of signatures more private. In addition, considering the case that a third party can intercept the signature before it reaches the designated verifier, a strong designated verifier signature system with stronger security is proposed in the appendix of [1]. In a strong designated verifier signature scheme, the verifier must use his or her own private key to perform the verification algorithm. In this way, even if the designated verifier signature is intercepted in advance, the third party still has no signature verification capability. In 2003, Saeednia, Kremer and Markowitch [2] gave a formal definition of strong designated verifier signature and gave the first scheme for strong designated verifier signature. This scheme [2] used the Schnorr [4] signature scheme and Zheng [5] signature encryption scheme to propose a strong designated verifier signature scheme, which achieves signer identity privacy by avoiding the use of encryption algorithms and further improves the efficiency of signing and verification. A secure and flexible access control scheme and protocol for M-services based on role based access control (RBAC) [6] was proposed in the same year. In 2004, Laguillaumie et al. [7] provided the first formal description of the concept of designated verifier signatures and a formal definition of the signer identity privacy property in strong designated verifier signatures. They also improved the designated verifier signature scheme proposed by Steinfeld et al. [8] at Asiacrypt'03 using bilinear pairs and proposed a new signature scheme that possesses lower computational consumption and proved that the scheme can guarantee the privacy of the signer's identity. Susilo et al. studied strong designated verifier signatures in the context of identity-based cryptosystems and proposed a strong designated verifier signature scheme for IBC [9], which integrates identity-based cryptosystem with strong designated verifier signature to solve the public key certificate management problem. In 2006, a usage control model to protect services and devices in ubiquitous computing environments [10], which allows the access restrictions directly on services and object documents, was presented.
In 2008, Zhang et al. [11] applied identity cryptography to propose a novel strong designated verifier signature scheme and proved its security to be close to the Bilinear Diffie-Hellman (BDH) hard problem under the random oracle model. Huang et al. [12] proposed a short strong designated verifier signature scheme and one of its identity-based morphing schemes, also noting that this signature is shorter than the signature lengths of all existing schemes, and finally discussing the short strong designated verifier signature under the standard model. In 2009, Kang et al. [13] demonstrated authorization attacks on some existing identity-based strong designated verifiers and proposed new signature schemes that can withstand authorization attacks. A model for privacy preserving access control which is based on variety of purposes [14] was presented in the same year. Yang et al. [15] similarly proposed a certificate-free strong designated verifier signature regime at the International Conference on Intelligence and Security in that year. In 2011, Huang et al. [16] proposed two efficient strong designated verifier signature schemes, the first one is a strong designated verifier signature scheme under the standard model and the second one is a non-authorized strong designated verifier signature scheme, and suggested that the non-authorized designated verifier signature under the standard model is still a difficult problem. Islam et al. [17] constructed provably secure certificate-free strong designated verifier signature regime using elliptic curve bilinear pairs in 2013.
In 2014, Wang et al. proposed a strong designated verifier signature scheme that is recognizable by the signer [18]. In [18], if permission is offered, the signatory can acknowledge that the signature is his own. In 2015, Jiang et al. proposed an identity-based online and offline designated verifier signature scheme [19]. In 2015, Zhang proposed a strong designated verifier signature scheme that resists replay attacks [20]. In 2017, Masoumeh et al. [21] proposed a strong designated verifier signature scheme. Ge et al. [22] proposed two SDVS schemes that guarantee the privacy of the signer. In 2019, Han et al. [23] proposed certificateless SDVS, which satisfies the requirements of verifiability, non-authorizability, non-transmissibility, and signer ambiguity. In 2020, Zhang et al. [24] proposed a secure and efficient quantum DVS scheme, which is theoretically secure, and a distributed memetic algorithm (DMA) was proposed for enhancing database privacy and utility [25]. In 2022, Venkateswaran et al. proposed the use of a neuro Deep learning wireless intrusion detection system that distinguishes the attacks in MANETs [26]. Dharmaraj et al. proposed a feature selection and majority voting based solutions for detecting intrusions [27]. In the same year, a novel three-layer DDE framework with adaptive resource allocation (DDE-ARA) [28] was proposed and a multitasking database fragmentation problem for privacy preservation requirements [29] was formally defined. During the same period, Yin et al. [30] proposed a modality-aware graph convolutional network (MAGCN) module to embed multimodality entity attributes and topological graph connectivity features into a unified lower dimensional feature space to boost link prediction performance. In 2023, Ravinder et al. [31] proposed a proactive approach based on natural language processing and deep learning that can enable online platforms to actively look for the signs of antisocial behaviour and intervene before it gets out of control. Ge et al. proposed a distributed prediction-randomness framework for the evolutionary dynamic multiobjective partitioning optimization of databases [32] and a distributed cooperative coevolutionary genetic algorithm (DCCGA) to optimize the MODP problem [33].
In 2008, Maji et al. [34] first proposed the attribute-based signature (ABS) scheme based on the IBS scheme. The access structure consists of a threshold structure consisting of "And" and "Or" and finally proves its security under a general group model. In 2010, Li et al. [35] proposed three schemes, the first one is an ABS scheme with threshold predicates, the second one is an ABS scheme without random oracle machines, and the third one is an ABS scheme with multi-attribute authorities. In 2011, Maji et al. [36] presented a general framework for constructing attribute-based signatures and gave several concrete examples using bilinear pairs. In 2012, Sun et al. [37] proposed a threshold attribute-based signature scheme without trusted central attribute authority that is not only unforgeable under selective attribute and adaptive selective plaintext attacks, but is also resistant to conspiracy attacks. In 2013, Ma et al. [38] designed a secure and provable threshold-based attribute signature scheme. In 2014, Tang et al. [39] constructed an ABS scheme with limited circuit depth using a mathematical tool of multilinear mapping, further enriching the predicate expression capability. In 2015, Nandi et al. [40] constructed an ABS scheme supporting multiple access methods with control methods including Boolean formulas and conventional languages. In 2016, Sakai et al. [41] proposed an ABS scheme supporting arbitrary circuit depth with good expressiveness via bilinear pairs. In 2017, for application to electronic medical record systems and to reduce the computational overhead, Moro et al. [42] proposed an ABS scheme that can support a tree access structure. Su et al. [43] proposed an attribute-based signature scheme with attribute revocation to protect the privacy of the user's identity. Lu et al. [44] proposed an efficient traceable constant-size attribute-based ring signature scheme for electronic health record system, focusing on fine-grained authentication and traceability of file publishers. Ma et al. [45] presented an attribute-based blind signature scheme based on elliptic curve cryptography (ECC), and the security of the new scheme is proved under the difficulty of the elliptic curve discrete logarithm problem (ECDLP). The access structure of the scheme uses the LSSS matrix. In the same year, an efficient pairing-free attribute-based blind signature scheme based on ordered binary decision diagram [46] was proposed.
Currently, the following works are available on attribute-based strong designated verifier signature. In 2009 and 2012, Shao et al. [47] and Fan et al. [48] proposed attribute-based strong designated verifier signature schemes, respectively, but these two schemes have multiple bilinear pairing operations in the signature and verification process, which makes the schemes inefficient overall. The attribute-based designated verifier signature scheme proposed by Tang et al. [49] in 2014 and the deniable attribute-based designated confirmer signature scheme proposed by Ren et al. [50] in the same year are not true attribute signatures because the secret value $y_1$ is incorrectly given to the signer in the public-private key extraction algorithm. Based on the paper [50], in 2016, Yan Ren [51] proposed a deniable attribute-based designated confirmer signature scheme under no random prediction model. In 2020, Zhang et al. [52] used a key strategy and then proposed an attribute-based designation confirmer signature scheme with a monotonic Boolean circuit for the access structure using multilinear mapping. The access structure of both schemes is an "And" gate or access tree structure, which involves bilinear pairing operations in the signature and verification process, making the overall system inefficient.
Most existing attribute-based strong designated verifier signature schemes involve complex bilinear pairing operations in the construction process, which are considered to be the most computationally expensive operations in pairing-based cryptographic protocols [53]. This makes these solutions overall inefficient and difficult to apply to cloud terminal scenarios or resource-constrained devices. Therefore, minimizing the number of calculations of bilinear pairings in the algorithm or cleverly using other operations to achieve the same algorithmic function can improve the algorithmic efficiency of the attribute-based strong designated verifier signature scheme to some extent. The design of the access structure is also a fairly important part of the construction of an attribute-based strong designated verifier signature scheme. A better access structure not only improves the efficiency of the system and the expressiveness of the access policy, but also reduces the number of attributes that need to be embedded in the signature to shorten the signature length and reduce the communication and storage overhead.

Preliminaries
In this section, we introduce linear secret sharing schemes (LSSS), elliptic curve cryptography, and the necessary security assumption. In addition, the definition and security model of the attribute-based strong designated verifier signature algorithm are provided.

Linear secret sharing schemes
Definition 1 (Access Structure) [54]. Suppose that the set of n participants is $\{P_1, P_2, \cdots, P_n\}$, and $P = 2^{\{P_1, P_2, \ldots, P_n\}}$. If the set A is a non-empty subset of the set $\{P_1, P_2, \cdots, P_n\}$, then it satisfies $A \subseteq P \setminus \{\emptyset\}$. If $\forall B, C$ satisfying $B \in A$ and $B \subseteq C$, has $C \in A$, then A is said to be a monotonic access structure.
Definition 2 (Linear Secret Sharing Schemes Access Structure). Let $\{P_1, P_2, \cdots, P_n\}$ be the set of a series of participants, let $M_T$ be the matrix of $s \times t$, and $\rho: \{1, 2, \cdots, s\} \rightarrow P$ be the mapping of each row of the matrix to one of the participants in the set. According to the definition of a linear secret sharing scheme [54], linear secret sharing schemes access structure is defined as the following two algorithms.
1. Distribute($M_T$, ρ, α). The input matrix $M_T$ with s rows and t columns, the mapping function ρ and the secret value $\alpha \in Z_p^*$, randomly selected $\alpha_2, \ldots, \alpha_t \in Z_p^*$, forms the vector $v = (\alpha, \alpha_2, \cdots, \alpha_t)$, and then output the s shared values $\{\lambda_i = M_{T,i} \cdot v\}_{i \in [1,s]}$ of attribute ρ(i), where $M_{T,i}$ is the i-th row vector of matrix $M_T$.
2. Reconstruct($M_T$, ρ, W). The input matrix $M_T$ with s rows and t columns, the mapping function ρ and the set of authorized attributes $W \in P$. According to the Gaussian elimination method, the set of reconstruction constants $\{w_i\}_{i \in I}$ can be found in polynomial time, satisfying $\sum_{i \in I} M_{T,i} w_i = (1, 0, \ldots, 0)$, i.e., $\sum_{i \in I} \lambda_i w_i = \alpha$. Then output $\{w_i\}_{i \in I}$, where $I = \{i \in [1,s] : \rho(i) \in W\}$.
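The Distribute and Reconstruct algorithms of Definition 2, written out as an added Python example (not code from the paper). The modulus, the matrix for the policy (A AND B) OR (C AND D), the attribute names and the function names are constructed for illustration; rows are indexed from 0 in the code.

```python
import secrets

# Constructed modulus for the demo: the Mersenne prime 2^127 - 1. In the scheme,
# p comes from the chosen elliptic-curve setting and values live in Z_p^*.
P = 2**127 - 1

# Constructed LSSS matrix (s = 4 rows, t = 3 columns) for the policy
# (A AND B) OR (C AND D); RHO[i] is the attribute that labels row i.
M = [
    [1,  1,  0],   # A
    [0, -1,  0],   # B
    [1,  0,  1],   # C
    [0,  0, -1],   # D
]
RHO = ["A", "B", "C", "D"]


def distribute(matrix, alpha, p=P):
    """Distribute: v = (alpha, random_2..random_t); share_i = row_i . v mod p."""
    t = len(matrix[0])
    v = [alpha % p] + [secrets.randbelow(p - 1) + 1 for _ in range(t - 1)]
    return [sum(m * x for m, x in zip(row, v)) % p for row in matrix]


def reconstruct_constants(matrix, rho, attrs, p=P):
    """Reconstruct: solve sum_{i in I} w_i * row_i = (1,0,...,0) mod p by
    Gauss-Jordan elimination. Returns {row index: w_i}, or None when the
    attribute set does not satisfy the access structure."""
    I = [i for i, a in enumerate(rho) if a in attrs]
    t = len(matrix[0])
    # One equation per matrix column c; unknowns are the w_i; last entry is the RHS.
    aug = [[matrix[i][c] % p for i in I] + [1 if c == 0 else 0] for c in range(t)]
    pivots, r = [], 0
    for col in range(len(I)):
        pr = next((k for k in range(r, t) if aug[k][col]), None)
        if pr is None:
            continue  # free variable, left at 0
        aug[r], aug[pr] = aug[pr], aug[r]
        inv = pow(aug[r][col], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for k in range(t):
            if k != r and aug[k][col]:
                f = aug[k][col]
                aug[k] = [(x - f * y) % p for x, y in zip(aug[k], aug[r])]
        pivots.append(col)
        r += 1
        if r == t:
            break
    # A leftover row reading 0 = nonzero means (1,0,...,0) is not in the span.
    if any(aug[k][-1] for k in range(r, t)):
        return None
    consts = {i: 0 for i in I}
    for row_idx, col in enumerate(pivots):
        consts[I[col]] = aug[row_idx][-1]
    return consts


def recover(shares, consts, p=P):
    """Linear recombination: sum of w_i * share_i mod p gives the secret."""
    return sum(w * shares[i] for i, w in consts.items()) % p


if __name__ == "__main__":
    secret = 0x1234567890ABCDEF  # constructed secret value
    shares = distribute(M, secret)
    for attrs in ({"A", "B"}, {"A", "C", "D"}, {"A", "C"}, {"B", "D"}):
        w = reconstruct_constants(M, RHO, attrs)
        status = "unauthorized" if w is None else hex(recover(shares, w))
        print(sorted(attrs), "->", status)
```

Reconstruction is a single linear solve over the rows owned by the attribute set, which is the non-recursive property the paper contrasts with access trees.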

ECDLP
In the mid-1980s, Koblitz [55] and Miller [56] respectively proposed the elliptic curve cryptography (ECC), whose security relies on the intractability of the discrete logarithm problem (ECDLP) on the elliptic curve group. The elliptic curve discrete logarithm problem can be described as follows: Let $F_p$ denote a finite field and E be an elliptic curve over $F_p$. The point G is the base point of this elliptic curve $E(F_p)$, and n is the order of G. Given a point $Q \in E(F_p)$, the elliptic curve discrete logarithm problem (ECDLP) is the search for an integer $l \in [0, n-1]$ such that $Q = lG$. For any algorithm B, the probability of solving the ECDLP is defined as follows:
$\mathrm{Adv}^{\mathrm{ECDLP}}(B) = \Pr[B(G, lG) = l;\ l \in [0, n]]$
Definition 3. The elliptic curve discrete logarithm problem (ECDLP) is said to be a hard problem if the probability of any algorithm B solving the ECDLP is negligible.

A generic definition of an attribute-based strong designated verifier signature scheme
An attribute-based strong designated verifier signature scheme generally includes the following five algorithms.

Setup.
$\mathrm{Setup}(k) \rightarrow \{P_{pub}, MSK, params\}$. A probabilistic algorithm that has as input a security parameter k and outputs a system master key MSK, a master public key $P_{pub}$, and a system public parameter params. A deterministic algorithm that takes as input the message M and its signature σ, the public key $PK_A$ of the signer, the private key $SK_B$ of the designated verifier and other public parameters params, and outputs a simulated signature σ′ of the message M.

A security model of an attribute-based strong designated verifier signature scheme
A secure attribute-based strong designated verifier signature scheme needs to satisfy correctness, signer identity anonymity, unforgeability, and privacy non-transmissibility.

Definition 5 (Unforgeability). An attribute-based strong designated verifier signature scheme is unforgeable under the selective attributes and selective messages attacks when the probability that adversary A can successfully win the above game in polynomial time is negligible.

Privacy non-transmissibility.
An attribute-based strong designated verifier signature scheme $\pi = (\mathrm{Setup}, \mathrm{Extract}, \mathrm{Sign}, \mathrm{Verify}, \mathrm{Simulate})$ satisfies privacy non-transmissibility means that given a message M and a strong designated verifier signature σ, the probability that a third party can determine in polynomial time whether the signature σ was generated by the signer or the verifier is negligible. Privacy non-transmissibility can be defined as the following game in polynomial time between adversary A and challenger C.

Init: Adversary A selects the attribute set $W_A^*$ and the set $W_B^*$ of attributes owned by the designated verifier to be challenged, and sends them to challenger C.

Setup: Challenger C chooses security parameters k, computes $(params, MSK) \leftarrow \mathrm{Setup}(k)$, and sends public parameters params to adversary A.

3. Queries: Adversary A is allowed to perform polynomial subadaptive queries.
• Key extraction queries. Adversary A sends the LSSS access structure $T_A$ and runs algorithm Extract and returns to adversary A the public-private key $(PK_A, SK_A)$ of the signer and the public-private key $(PK_B, SK_B)$ of the verifier.
• Signature queries. Adversary A sends the attribute set $W_A$, the message M, and the attribute set of the verifier $W_B$ to challenger C. Challenger C invokes the Sign algorithm to generate signature σ, which is sent to adversary A.
• Verify queries. Adversary A sends message M and signature σ to challenger C, requesting challenger C to verify that signature σ is signed by a signer with attribute $W_A$ and designated verifier attribute $W_B$. If σ is a signature generated by a legitimate signer with attribute set $W_A$, then challenger C returns "1", if not, then returns "0".

An efficient attribute-based strong designated verifier signature scheme based on elliptic curve cryptography
Most of the existing attribute-based strong designated verifier signature schemes involve complex bilinear pairing operations and the "And" gate or access tree access structure used in the scheme construction has many limitations in policy expression, which makes the signing and verification process computationally inefficient. To address this issue, an efficient attribute-based strong designated verifier signature scheme based on elliptic curve cryptography is proposed and its security is analyzed in this section.

Our construction
In this section we propose an efficient attribute-based strong designated verifier signature scheme based on elliptic curve cryptography including the following five algorithms.
4.1.1. Setup. The finite field GF(p) of order p is chosen, E is an elliptic curve defined on GF(p), and the system chooses the point G as the base point of this elliptic curve. Assume that the set of attributes in the system is U = {1,2,⋯,n} and i is one of the attributes. $H: \{0,1\}^* \rightarrow Z_p^*$ is a cryptographically secure hash function. Randomly select $\alpha \in Z_p^*$ and compute $P_{pub} = \alpha G$. For each attribute $i \in U$, randomly select the secret value $z_i \in Z_p^*$ and compute Output public parameters params = $\{p, G, H, h_1, h_2, \cdots, h_n, P_{pub}\}$. The master key is MSK = $\{\alpha, z_1, z_2, \cdots, z_n\}$.
4.1.2. Extract. Assume that the access structure $T_A$ of the signer is $(L_A, \rho_A)$, where $L_A$ is a matrix with $s_A$ rows and $t_A$ columns. The function $\rho_A$ is a mapping of the rows of $L_A$ to attributes. Each row $L_{A,j}$ of $L_A$ corresponds to an attribute $\rho_{A,j}$.
The key generation center randomly selects $r_{A,2}, r_{A,3}, \ldots, r_{A,t} \in Z_p^*$, constructs the vector

and then calculates d
Output the private key of the signer as The signer signs the message as follows.
Randomly select $e \in Z_p^*$ and compute R = eM, r = H(R).
If the attribute set W B of the verifier satisfies the access structure T B , it must be possible to find a set of constant fo The signer sends the signature σ = (R,s,V,Z) to the verifier.

Verify. After the verifier receives the signature σ, calculate r = H(R).
Verify that the equation Z ¼ also holds.

Security analysis
In this section we analyze the security of an efficient attribute-based strong designated verifier signature scheme based on elliptic curve cryptography. The security features mainly include correctness, signer identity anonymity, unforgeability, and privacy non-transmissibility.
4.2.1. Correctness. The efficient attribute-based strong designated verifier signature scheme based on elliptic curve cryptography proposed by us satisfies the correctness.
Proof: When the attribute set $W_A$ of the signer satisfies the access structure $T_A$, the same set of reconstruction constants $\{\omega_{A,i} \in Z_p^*, i \in \varpi_A\}$ as the signer can be found, where According to the properties of the LSSS matrix, a and the system parameters params, the correctness of the signature σ is verified as follows.

Signer identity anonymity.
If the probability that an adversary A can distinguish a legitimate attribute-based strong designated verifier signature in polynomial time without obtaining a signer or designated verifier private key is no greater than 1/2, the efficient attribute-based strong designated verifier signature scheme based on elliptic curve cryptography proposed by us satisfies the signer identity anonymity.
Proof: The game between adversary A and challenger C is as follows.
• Key extraction queries. Adversary A sends the access structure ] of the LSSS matrix $L_A$, and then computes the private key of the signer as

and the public key of the signer as PK
Adversary A sends the access structure * and constructs the vector Compute the private key of the verifier as and the public key of the verifier as $PK_B = \{D_{B,i}\}_{i \in [1, s_B]}$.
• Signature queries. Adversary A sends the attribute set $W_A$ of the signer, message M, and verifier attribute set $W_B$ of the verifier to challenger C. Challenger C signs message M according to the signature step.
If the attribute set $W_A$ satisfies the access structure $T_A$, then one can obtain a set of constants , 0, …, 0), where If the attribute set $W_B$ of the verifier satisfies the access structure $T_B$, then a set of constants $\{\omega_{B,i} \in Z_p^*, i \in \varpi_B\}$ can be found in polynomial time such that Challenger C sends the signature σ = (R,s,V,Z) to adversary A.
• Verify queries. Adversary A sends signature σ = (R,s,V,Z) to challenger C. Challenger C verifies the signature according to the verification algorithm as follows.
Challenger C computes r = H(R) and verifies that equation If it holds, then challenger C returns "1" to adversary A. Otherwise, it returns "0".

4. Challenge. Adversary A submits to challenger C two plaintexts of equal length $M_0$ and $M_1$, the attribute set $W_A$ of the signer and the attribute set $W_B$ of the designated verifier.
Challenger C performs a random coin flip, set to $b \in \{0,1\}$. Invoke signature algorithm Sign, randomly select $e \in Z_p^*$, compute $R = eM_b$ and r = H(R).
Generate the designated verifier signature $\sigma_b = \mathrm{Sign}(W_A, W_B, M_b) = (R, s, V, Z)$ to send to adversary A.

5. Output. Adversary A outputs a guess b′ for b. Before giving the guess, adversary A can make signature queries other than $M_0$ and $M_1$ and verify queries other than $\sigma_b$ to challenger C.
In order to obtain the value of $M_b$, e must be derived from $R = eM_b$. Since e is randomly selected, the probability that adversary A determines the true value of $M_b$ in polynomial time does not exceed 1/2. Therefore, the proposed scheme satisfies signer identity anonymity.

Unforgeability.
If there exists a polynomial-time adversary A that can break the proposed attribute-based strong designated verifier signature scheme based on elliptic curve cryptography with a non-negligible advantage ε, then challenger C can solve the elliptic curve discrete logarithm problem (ECDLP) with non-negligible probability.
Proof: The finite field GF(p) of order p is chosen, E is an elliptic curve defined over GF(p), and the system chooses the point G as the base point of this elliptic curve.

Init. Adversary A selects the attribute set $W_A^*$ of the signer and the attribute set $W_B^*$ owned by the designated verifier to be challenged, and sends them to challenger C.
• Key extraction queries. Adversary A sends the access structure

Setup
] of the LSSS matrix $L_A$, and then computes the private key of the signer as Challenger C sends the signature $\sigma = (R, s, V, Z)$ to adversary A.
• Verify queries. Adversary A sends signature $\sigma = (R, s, V, Z)$ to challenger C. Challenger C verifies the signature according to the verification algorithm as follows.
Challenger C computes $r = H(R)$ and verifies that equation If it holds, then challenger C returns "1" to adversary A. Otherwise, it returns "0". Then, replaying with the same parameters and choosing a different hash function $H_1(\cdot)$, challenger C obtains another legal signature $\sigma^{*\prime}$ for $M^*$ according to the forking lemma. Since both $\sigma^*$ and $\sigma^{*\prime}$ satisfy the verification equation, the following equations hold

Forgery. Adversary
Subtract the two formulas to get: Since challenger C knows the process of signature generation and verification, it can calculate Thus challenger C outputs $x$ as a solution to the discrete logarithm problem; that is, if adversary A can successfully forge an attribute-based strong designated verifier signature, this is equivalent to solving the elliptic curve discrete logarithm problem (ECDLP). Because the elliptic curve discrete logarithm problem is the hard problem on which the elliptic curve public key cryptosystem is based, no adversary A wins this game with a non-negligible advantage in polynomial time. The scheme satisfies unforgeability.
Proof: The game between adversary A and challenger C is as follows.
• Key extraction queries. Adversary A sends the access structure Challenger C sends the signature $\sigma = (R, s, V, Z)$ to adversary A.
• Verify queries. Adversary A sends signature $\sigma = (R, s, V, Z)$ to challenger C. Challenger C verifies the signature according to the verification algorithm as follows.
Challenger C computes r = H(R) and verifies that equation If it holds, then challenger C returns "1" to adversary A. Otherwise, it returns "0".
This signature also enables the verification equation The signature $\sigma'$ simulated by challenger C is indistinguishable from the signature $\sigma$ generated by the signer. The probability that adversary A can determine in polynomial time whether signature $\sigma$ was generated by the signer or challenger C is negligible.

Efficiency analysis
This section analyses the efficiency of the efficient attribute-based strong designated verifier signature scheme based on elliptic curve cryptography. Table 1 compares our scheme with several other typical attribute-based strong designated verifier signature schemes in terms of access structure, access policy, private key and signature size, and signature computation and verification efficiency. Here we have selected four typical attribute-based strong designated verifier signature schemes: SABSDVS [47], FABSDVS [48], ZABDCS [52] and TABSDVS [49].
In Table 1, the symbols have the following meanings: $w$ denotes the number of attributes, $n$ is the overall number of attributes, $s$ denotes the number of attributes of the visitor, $|G|$ denotes the length of an element of the group $G$, $T_{exp}$ denotes the time of a modular exponentiation, $T_{bp}$ denotes the time required for a bilinear pairing operation, $q_1$ is the number of "or" gates in the monotonic Boolean circuit, and $q_2$ is the number of "and" gates in the monotonic Boolean circuit. See S1 File.
We analyze the efficiency of the above schemes in terms of the access structure, the number of operations, and the length of the secret key and signature. The execution time of the algorithms is dominated by exponentiation ($T_{exp}$) and bilinear pairing ($T_{bp}$) operations, so the table mainly analyzes these two operations.
As can be seen in Table 1, the proposed scheme, unlike the comparison schemes, uses no bilinear pairing operations in either signature or verification computation. One bilinear pairing operation on the same curve is 2-3 times more expensive than a scalar multiplication [3]. Therefore, it is more efficient to use scalar multiplication on elliptic curves instead of bilinear pairing operations to construct attribute-based strong designated verifier signature schemes in the signing and verification process. In addition, most of the access structures relied on by the existing attribute-based strong designated verifier signature schemes are threshold access structures or access tree structures, which have many limitations in policy expression. The LSSS matrix is stronger in access policy expression and can express any access policy, including "And" gate, "Or" gate and threshold, with a flexible access structure [57]. The new scheme uses the LSSS access structure to construct an efficient attribute-based strong designated verifier signature scheme based on elliptic curve cryptography, which is more efficient in both signature generation and verification than the existing attribute-based strong designated verifier signature schemes. Also, the signature generation process uses concatenated summation operations to make the signature length fixed. Of course, the limited breadth of the literature search may have led to omissions among the comparison schemes, and we will try to improve this in future research work.
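The LSSS step that the scheme relies on, sharing a secret along the rows of a policy matrix and recombining it with constants $\omega_i$ satisfying $\sum_i \omega_i L_i = (1, 0, \ldots, 0)$, is shown in the following added example, which is not code from the paper. The policy matrix for "(A AND B) OR C", the modulus and all function names are assumptions made for illustration, and the arithmetic is done on scalars in $Z_p$ rather than on curve points.

```python
# Added illustration of LSSS sharing/reconstruction over Z_p (not the paper's code).
# P, the policy matrix and every function name are assumptions for this example.
import secrets

P = 2**127 - 1  # a Mersenne prime standing in for the group order p

# Policy "(A AND B) OR C": row i of L is labelled with attribute RHO[i].
L = [[1, 1],    # A
     [0, -1],   # B
     [1, 0]]    # C
RHO = ["A", "B", "C"]


def share(matrix, secret, p=P):
    """Return lambda_i = L_i . v for v = (secret, r_2, ..., r_t), r_j random."""
    t = len(matrix[0])
    v = [secret % p] + [secrets.randbelow(p) for _ in range(t - 1)]
    return [sum(a * b for a, b in zip(row, v)) % p for row in matrix]


def recon_coeffs(matrix, rho, attrs, p=P):
    """Solve sum_i w_i * L_i = (1, 0, ..., 0) mod p over rows with rho[i] in attrs.

    Returns {row index: w_i}, or None when attrs does not satisfy the policy.
    Redundant rows get w_i = 0 here; the paper asks for nonzero constants.
    """
    rows = [i for i, a in enumerate(rho) if a in attrs]
    t, n = len(matrix[0]), len(rows)
    # One equation per column j of L; the last entry is the target e_1[j].
    m = [[matrix[i][j] % p for i in rows] + [int(j == 0)] for j in range(t)]
    pivots, r = [], 0
    for c in range(n):  # Gauss-Jordan elimination mod p
        piv = next((k for k in range(r, t) if m[k][c]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], -1, p)
        m[r] = [x * inv % p for x in m[r]]
        for k in range(t):
            if k != r and m[k][c]:
                f = m[k][c]
                m[k] = [(x - f * y) % p for x, y in zip(m[k], m[r])]
        pivots.append(c)
        r += 1
    if any(m[k][n] for k in range(r, t)):  # "0 = nonzero": e_1 is not in the span
        return None
    w = {i: 0 for i in rows}
    for k, c in enumerate(pivots):
        w[rows[c]] = m[k][n]
    return w


def reconstruct(shares, coeffs, p=P):
    """Recombine the shares of an authorised set: sum_i w_i * lambda_i mod p."""
    return sum(w * shares[i] for i, w in coeffs.items()) % p


if __name__ == "__main__":
    x = secrets.randbelow(P)
    lam = share(L, x)
    for attrs in ({"A", "B"}, {"C"}, {"A"}, {"B"}):
        w = recon_coeffs(L, RHO, attrs)
        ok = w is not None and reconstruct(lam, w) == x
        print(sorted(attrs), "authorised" if ok else "rejected")
```

Reconstruction is a single linear solve followed by one weighted sum, with no recursion over a policy tree.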

Conclusions
Improving the efficiency and security of attribute-based strong designated verifier signature schemes as much as possible is a hot research topic in the field of cryptography. Most of the existing attribute-based strong designated verifier signature schemes involve complex bilinear pairing operations, which makes the overall scheme inefficient. To address this problem, in this paper, an efficient attribute-based strong designated verifier signature scheme based on elliptic curve cryptography is proposed and analyzed for its security. In Section 3, we present some background knowledge and optimize the security model of an attribute-based strong designated verifier signature scheme to facilitate better understanding of the newly proposed scheme. In Section 4, we give our construction of a new efficient attribute-based strong designated verifier signature scheme based on elliptic curve cryptography. The security of the proposed scheme is analyzed under the difficulty of the elliptic curve discrete logarithm problem (ECDLP) on which the elliptic curve cryptography is based. The new scheme uses scalar multiplication on elliptic curves, which is more lightweight, instead of bilinear pairing operations, which have a higher computational overhead [58,59]. This reduces the computational overhead in the signature and verification process, making the scheme more suitable for cloud endpoint scenarios and resource-constrained devices. By replacing the bilinear pairing operation with scalar multiplication on elliptic curves, the new scheme provides a new idea for the study of attribute-based strong designated verifier signature schemes. Meanwhile, our scheme uses an LSSS matrix to represent the access structure. LSSS takes advantage of the linear secret sharing scheme's secret reconfigurable nature to reconstruct the secret without recursive operations, improves the signature and efficiency of attribute-based signature schemes, and makes the policy expression more flexible. Compared with several attribute-based strong designated verifier signature schemes in Section 5, the new scheme designed in this paper not only improves the efficiency of access policy expression, but also achieves a signature length independent of the number of signer attributes. The new scheme has greater advantages in terms of computational efficiency and storage space.

4. Challenge: Challenger C runs the Simulate algorithm and generates a signature $\sigma'$, which is sent to adversary A. The signature verification equation still holds. If adversary A can distinguish between the signature $\sigma$ generated by the signer and the signature $\sigma'$ generated by challenger C in polynomial time, then adversary A wins.
Definition 6 (Privacy non-transmissibility). An attribute-based strong designated verifier signature scheme satisfies privacy non-transmissibility when the probability that adversary A can successfully win the above game in polynomial time is negligible.
The system model of an attribute-based strong designated verifier signature scheme is shown in Fig 2.

Fig 2. System model of an attribute-based strong designated verifier signature scheme. https://doi.org/10.1371/journal.pone.0300153.g002

A; $PK_A$; $SK_B$; $PK_B$} A probabilistic algorithm with input system parameters params, master key MSK, access structure $T_A$, and output private key $SK_A$ and public key $PK_A$ of the signer. Similarly, input system parameters params, master key MSK, access structure $T_B$, and output private key $SK_B$ and public key $PK_B$ of the signer.

A; $PK_A$; $PK_B$) → $\sigma$ A probabilistic algorithm with input system parameters params, private key $SK_A$ and public key $PK_A$ of the signer, public key $PK_B$ of the verifier, message $M$, output the signature $\sigma$ of mes-

$PK_B$; $M$; $\sigma$) → {1, 0} A deterministic algorithm with input system parameters params, the public key $PK_A$ of the signer, the private key $SK_B$ of the verifier, the message $M$ and its signature $\sigma$, and output whether the signature verification passes or not. If the signature $\sigma$ is valid, output 1, otherwise output 0.

3.3.5. Simulate. $\mathrm{Simulate}(M, \sigma, PK_A, SK_B, \mathrm{params}) \to \sigma'$
3.4.1. Correctness. For an attribute-based strong designated verifier signature scheme $\pi = (\mathrm{Setup}, \mathrm{Extract}, \mathrm{Sign}, \mathrm{Verify}, \mathrm{Simulate})$, assuming that the set $W_A$ of attributes owned by the signer satisfies the access structure $T_A$, the signer outputs the designated verifier signature $\sigma = \mathrm{Sign}(M, \mathrm{params}, SK_A, PK_A, PK_B)$ for message $M$. Assuming that the set $W_B$ of attributes owned by the designated verifier satisfies the access structure $T_B$, the designated verifier signature $\sigma$ generated by the signer must pass verification by the verifier, that is, $\mathrm{Verify}(\mathrm{params}, PK_A, PK_B, M, \sigma) = 1$.

3.4.2. Signer identity anonymity. For an attribute-based strong designated verifier signature scheme $\pi = (\mathrm{Setup}, \mathrm{Extract}, \mathrm{Sign}, \mathrm{Verify}, \mathrm{Simulate})$, signer identity anonymity without access to the private key of the signer or the designated verifier can be defined as a series of games between adversary and challenger as follows.

1. Init: Adversary A selects the attribute set $W_A^*$ and the set $W_B^*$ of attributes owned by the designated verifier to be challenged, and sends them to challenger C.
2. Setup: Challenger C chooses security parameters $k$, computes $(\mathrm{params}, MSK) \leftarrow \mathrm{Setup}(k)$, and sends public parameters params to adversary A.
3. Queries: Adversary A is allowed to perform polynomial subadaptive queries.
• Key extraction queries. Adversary A sends the LSSS access structures $T_A$ and $T_B$ to challenger C. If $T_A(W_A^*) \neq 1$ and $T_B(W_B^*) \neq 1$, challenger C runs algorithm Extract and returns to adversary A the public-private key pair $(PK_A, SK_A)$ of the signer and the public-private key pair $(PK_B, SK_B)$ of the verifier.
• Signature queries. Adversary A sends the attribute set $W_A$, the message $M$, and the attribute set $W_B$ of the verifier to challenger C. Challenger C invokes the Sign algorithm to generate signature $\sigma$, which is sent to adversary A.
• Verify queries. Adversary A sends message $M$ and signature $\sigma$ to challenger C, requesting challenger C to verify that signature $\sigma$ is signed by a signer with attribute $W_A$ and designated verifier attribute $W_B$. If $\sigma$ is a signature generated by a legitimate signer with attribute set $W_A$, then challenger C returns "1"; if not, it returns "0".
4. Challenge: Adversary A submits to challenger C two plaintexts of equal length, $M_0$ and $M_1$, the attribute set $W_A$ of the signer and the attribute set $W_B$ of the verifier. Challenger C performs a random coin flip, set to $b \in \{0,1\}$, and generates a strong designated verifier signature $\sigma_b = \mathrm{Sign}(W_A^*, W_B^*, M_b)$, which is sent to adversary A.
5. Guess: Adversary A outputs a guess $b'$ for $b$. Before giving the guess, adversary A can make signature queries to challenger C other than $M_0$ and $M_1$ and verify queries other than $\sigma_b$. If $b' = b$, output "1", otherwise, output "0". We define $\mathrm{Adv}_{\mathrm{anony}}(1^{\lambda})$ to be the advantage over 1/2 of A in the above game.

Definition 4 (Signer identity anonymity). An attribute-based strong designated verifier signature scheme satisfies signer identity anonymity under a chosen message attack if there exists no adversary A that can win the above game with non-negligible advantage $\mathrm{Adv}_{\mathrm{anony}}(1^{\lambda})$.

3.4.3. Unforgeability. For an attribute-based strong designated verifier signature scheme $\pi = (\mathrm{Setup}, \mathrm{Extract}, \mathrm{Sign}, \mathrm{Verify}, \mathrm{Simulate})$, it is computationally infeasible to construct a legitimate attribute-based strong designated verifier signature scheme without obtaining the signer's or designated verifier's private key. Unforgeability under selective attribute set and selective messages attack can be defined as the following game in polynomial time between adversary A and challenger C.

1. Init: Adversary A selects the attribute set $W_A^*$ and the set $W_B^*$ of attributes owned by the designated verifier to be challenged, and sends them to challenger C.
2. Setup: Challenger C chooses security parameters $k$, computes $(\mathrm{params}, MSK) \leftarrow \mathrm{Setup}(k)$, and sends public parameters params to adversary A.
3. Queries: Adversary A is allowed to perform polynomial subadaptive queries.
• Key extraction queries. Adversary A sends the LSSS access structures $T_A$ and $T_B$ to challenger C. If $T_A(W_A^*) \neq 1$ and $T_B(W_B^*) \neq 1$, challenger C runs algorithm Extract and returns to adversary A the public-private key pair $(PK_A, SK_A)$ of the signer and the public-private key pair $(PK_B, SK_B)$ of the verifier.
• Signature queries. Adversary A sends the attribute set $W_A$, the message $M$, and the attribute set $W_B$ of the verifier to challenger C. Challenger C invokes the Sign algorithm to generate signature $\sigma$, which is sent to adversary A.
• Verify queries. Adversary A sends message $M$ and signature $\sigma$ to challenger C, requesting challenger C to verify that signature $\sigma$ is signed by a signer with attribute $W_A$ and designated verifier attribute $W_B$. If $\sigma$ is a signature generated by a legitimate signer with attribute set $W_A$, then challenger C returns "1"; if not, it returns "0".

*; $M^*$; $\sigma$

and the public key of the signer as $PK_A = \{D_i^A\}_{i \in [1, s_A]}$. Assume that the access structure $T_B$ of the verifier is $(L_B, \rho_B)$, where $L_B$ is a matrix with $S_B$ rows and $t_B$ columns. The function $\rho_B$ is a mapping of rows to attributes about $L_B$. Each row $L_j^B$ of $L_B$ corresponds to an attribute $\rho_j^B$. The key generation center randomly selects $r_2^B, r_3^B, \ldots, r_t^B \in Z_p^*$, constructs the vector $\vec{v}_B = (a, r_2^B, r_3^B, \ldots, r_{t_B}^B)$, calculates the secret value $\lambda_i^B = \vec{L}_i^B \cdot \vec{v}_B$ for each row $i \in [1, S_B]$ of the LSSS matrix $L_B$, and then calculates $d_i^B = \lambda_i^B + z_{\rho_B(i)}$. Output the private key of the signer as $SK_B = \{d_i^B\}_{i \in [1, s_B]}$. Compute $D_i^A = d_i^B G$ and the public key of the signer as $PK_B = \{D_i^B\}_{i \in [1, s_B]}$.

4.1.3. Sign. If the attribute set $W_A$ of the signer satisfies the access structure $T_A$, it must be possible to find a set of constant $\{\omega$
Challenger C selects a security parameter $k$ and simulates the generation of public parameters as follows. Randomly select $x \in Z_p^*$ and calculate $P_{pub} = xG$. For each attribute $i \in U$, randomly select the secret value $z_i \in Z_p^*$ and compute $h_i = z_i G$. Let $H : \{0,1\}^* \to Z_p^*$ be a secure cryptographic hash function. Challenger C generates the public parameter params = $\{p, G, H, h_1, h_2, \cdots, h_n, P_{pub}\}$ and the master key MSK = $\{x_1, z_1, z_2, \cdots, z_n\}$ to adversary A.
3. Queries. Adversary A can perform a polynomial number of key extraction queries, signature queries, and verify queries to challenger C.
A(i) and the public key of the signer as $PK_A = \{D_i^A\}_{i \in [1, s_A]}$. Adversary A sends the access structure $T_B$ satisfying $T_B(W_B^*) \neq 1$ to challenger C. Challenger C randomly selects $r_1^B, r_2^B, \ldots, r_t^B \in Z_p$ Compute the private key of the verifier as $d_i^B = \lambda_i^B + z_{\rho_B(i)}$ and the public key of the verifier as $PK_B = \{D_i^B\}_{i \in [1, s_B]}$.
• Signature queries. Adversary A sends the attribute set $W_A$ of the signer, the message $M$, and the attribute set $W_B$ of the verifier to challenger C. Challenger C signs message $M$ according to the signature step. If the attribute set $W_A$ satisfies the access structure $T_A$, then one can obtain a set of constants $\{\omega_i^A \in Z_p^*;\ i \in \varpi_A\}$ such that $\sum_{i \in \varpi_A} \omega_i^A L_i^A = (1, 0, \ldots, 0)$, where $\varpi_A = \{i \in [1, s_A] : \rho_A(i) \in W_A\}$. Randomly select $e \in Z_p^*$ and calculate $R = eM$, $r = H(R)$, randomly select $k_1 \in Z_p^*$ and calculate $s = k_1 - r \sum$ If the attribute set $W_B$ of the verifier satisfies the access structure $T_B$, then a set of constants $\{\omega_i^B \in Z_p^*;\ i \in \varpi_B\}$ can be found in polynomial time such that $\sum$
A forges the signature $\sigma^*$ of message $M^*$, corresponding to the attribute set of the signer as $W_A^*$, and specifies the attribute set of the verifier as $W_B^*$ to send to challenger C.

1. Init. Adversary A selects the attribute set $W_A^*$ of the signer and the attribute set $W_B^*$ owned by the designated verifier to be challenged, and sends them to challenger C.
2. Setup. Challenger C selects a security parameter $k$ and simulates the generation of public parameters as follows. Randomly select $x \in Z_p^*$ and calculate $P_{pub} = xG$. For each attribute $i \in U$, randomly select the secret value $z_i \in Z_p^*$ and compute $h_i = z_i G$. Let $H : \{0,1\}^* \to Z_p^*$ be a secure cryptographic hash function. Challenger C generates the public parameter params = $\{p, G, H, h_1, h_2, \cdots, h_n, P_{pub}\}$ and the master key MSK = $\{x, z_1, z_2, \cdots, z_n\}$ to adversary A.
3. Queries. Adversary A can perform a polynomial number of key extraction queries, signature queries, and verify queries to challenger C.
1, $S_A$] of the LSSS matrix $L_A$, and then computes the private key of the signer as $d_i^A = \lambda_i^A + z_{\rho_A(i)}$ and the public key of the signer as $PK_A = \{D_i^A\}_{i \in [1, s_A]}$. Adversary A sends the access structure $T_B$ satisfying $T_B(W_B^*) \neq 1$ to challenger C. Challenger C randomly selects $r_1^B, r_2^B, \ldots, r_t^B \in Z_p^*$ and constructs the vector $\vec{v}_B = (x, r_2^B, r_3^B, \ldots, r_t^B)$. For each row $i \in [1, S_B]$ of the LSSS matrix $L_A$, compute $\lambda_i^B = \vec{L}_i^B \cdot \vec{v}_B$. Compute the private key of the verifier as $d_i^B = \lambda_i^B + z_{\rho_B(i)}$ and the public key of the verifier as $PK_B = \{D_i^B\}_{i \in [1, s_B]}$.
• Signature queries. Adversary A sends the attribute set $W_A$ of the signer, the message $M$, and the attribute set $W_B$ of the verifier to challenger C. Challenger C signs message $M$ according to the signature step. If the attribute set $W_A$ satisfies the access structure $T_A$, then one can obtain a set of constants $\{\omega_i^A \in Z_p^*;\ i \in \varpi_A\}$ such that $\sum$ If the attribute set $W_B$ of the verifier satisfies the access structure $T_B$, then a set of constants $\{\omega_i^B \in Z_p^*;\ i \in \varpi_B\}$ can be found in polynomial time such that $\sum$